Report No. D-2010-058                                                May 14, 2010

Selected Controls for Information Assurance at the Defense Threat Reduction Agency

Additional Copies
To obtain additional copies of this report, visit the Web site of the Department of Defense
Inspector General at http://www.dodig.mil/audit/reports or contact the Secondary Reports
Distribution Unit at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Audits
To suggest or request audits, contact the Office of the Deputy Inspector General for
Auditing by phone (703) 604-9142 (DSN 664-9142), by fax (703) 604-8932, or by mail:

    ODIG-AUD (ATTN: Audit Suggestions)
    Department of Defense Inspector General
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Acronyms and Abbreviations
ASD(NII)/DOD CIO   Assistant Secretary of Defense (Networks and Information
                   Integration)/DOD Chief Information Officer
CND-SP             Computer Network Defense-Service Provider
DAA                Designated Approving Authority
DFARS              Defense Federal Acquisition Regulation Supplement
DTRA               Defense Threat Reduction Agency
FISMA              Federal Information Security Management Act
GAO                Government Accountability Office
IA                 Information Assurance
IAM                Information Assurance Management
IASAE              Information Assurance System Architect and Engineer
IAT                Information Assurance Technical
NIST               National Institute of Standards and Technology

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

                                                                     May 14, 2010

MEMORANDUM FOR UNDER SECRETARY OF DEFENSE FOR ACQUISITION,
                 TECHNOLOGY, AND LOGISTICS
               ASSISTANT SECRETARY OF DEFENSE (NETWORKS
                 AND INFORMATION INTEGRATION)/DOD CHIEF
                 INFORMATION OFFICER
               ASSISTANT TO THE SECRETARY OF DEFENSE FOR
                 NUCLEAR AND CHEMICAL AND BIOLOGICAL
                 DEFENSE PROGRAMS
               DIRECTOR, DEFENSE THREAT REDUCTION AGENCY

SUBJECT: Selected Controls for Information Assurance at the Defense Threat Reduction
         Agency (Report No. D-2010-058)

We are providing this report for your information and use. We considered management
comments on a draft of this report when preparing the final report. The Assistant
Secretary of Defense (Networks and Information Integration)/DOD Chief Information
Officer and the Director, Defense Threat Reduction Agency, comments conformed to the
requirements of DOD Directive 7650.3; therefore, we do not require additional
comments.

We appreciate the courtesies extended to the staff. Please direct questions to
Mr. Robert F. Prinzbach II at (703) 604-8907 (DSN 664-8907).

                                         Acting Assistant Inspector General
                                         Readiness, Operations, and Support

Report No. D-2010-058 (Project No. D2009-D000LB-0216.000)            May 14, 2010

Results in Brief: Selected Controls for Information Assurance at the Defense Threat
Reduction Agency

What We Did
The objectives of this audit were to determine whether personnel responsible for
information assurance were certified in accordance with regulations and whether
information system accounts were disabled when employees left the agency. We reviewed
designations of information assurance personnel and their corresponding certification
status. We also reviewed whether information system accounts were disabled in a timely
manner.

What We Found
As of August 2009, the date of the Defense Threat Reduction Agency (DTRA) response to
DOD for the 2009 Federal Information Security Management Act report, DTRA needed 80
additional information assurance personnel to be certified to meet December 2009
certification milestones. DTRA also did not follow regulations for identification and
certification of information assurance personnel. These conditions occurred because
DTRA did not have adequate internal controls in place and did not adequately oversee its
information assurance workforce. As a result, the DTRA information assurance workforce
may not have an adequate understanding of the concepts, principles, and applications of
information assurance to enhance the protection and availability of information systems
and networks. In addition, data made available by DTRA to DOD and Congress were
inaccurate and incomplete.

DTRA did not disable 17 accounts within 9 information systems and networks after
personnel left the agency. Additionally, of 87 disabled accounts that we reviewed,
84 accounts remained active 5 days after the personnel left the agency, and 66 accounts
remained active after 30 days. This occurred because internal controls were not in place
to notify information system representatives when personnel left the agency and to
ensure that system administrators review inactive accounts in accordance with DTRA
guidance. As a result, unauthorized individuals could have accessed sensitive
information within agency information systems and networks.

What We Recommend
We recommend that the Assistant Secretary of Defense (Networks and Information
Integration)/DOD Chief Information Officer (ASD[NII]/DOD CIO) modify DOD 8570.01-M
to require all DOD information assurance personnel to authorize release of their
certification qualifications in the Defense Workforce Certification Application. We also
recommend that the Director, DTRA:

   • develop and implement an adequate process to identify information assurance
     personnel and monitor their certification status,
   • notify system representatives when personnel leave the agency, and
   • review active accounts at least monthly and suspend inactive accounts in
     accordance with DTRA guidance.

Management Comments and Our Response
The Acting Deputy Assistant Secretary of Defense (Identity and Information Assurance) in
the Office of the ASD(NII)/DOD CIO and the Director, DTRA, agreed with the
recommendations. Management comments were responsive to the recommendations. No
additional comments are required.

Recommendations Table

  Management                          Recommendations        No Additional Comments
                                      Requiring Comment      Required
  Assistant Secretary of Defense                             A.3
  (Networks and Information
  Integration)/DOD Chief
  Information Officer
  Director, Defense Threat                                   A.1.a-g, A.2, B.1, and B.2
  Reduction Agency

Table of Contents

Introduction                                                                       1
      Objectives                                                                   1
      Background                                                                   1
      Review of Internal Controls                                                  1

Finding A. Identification and Certification of Information Assurance Personnel     3
      Recommendations, Management Comments, and Our Response                      13

Finding B. Disabling of Accounts                                                  17
      Recommendations, Management Comments, and Our Response                      20

Appendix
      Scope and Methodology                                                       22

Management Comments
      Assistant Secretary of Defense (Networks and Information Integration)/DOD
      Chief Information Officer                                                   25
      Defense Threat Reduction Agency                                             26

Introduction

Objectives
The objectives of this audit were to determine whether Defense Threat Reduction Agency
(DTRA) personnel responsible for information assurance (IA) were certified in
accordance with regulations and whether information system accounts were disabled
when employees left the agency. We reviewed designations of information assurance
personnel and their corresponding certification status. We also reviewed whether
information system accounts were disabled in a timely manner. See the Appendix for a
discussion of the scope and methodology and prior coverage related to the objectives.

Background
DTRA is responsible for safeguarding the United States and its allies from weapons of
mass destruction by providing capabilities to reduce, eliminate, and counter the threat and
mitigate their effects. DTRA is a DOD Agency that reports to the Under Secretary of
Defense for Acquisition, Technology, and Logistics through the Assistant to the
Secretary of Defense for Nuclear and Chemical and Biological Defense Programs.

The Assistant Secretary of Defense for Networks and Information Integration/DOD Chief
Information Officer (ASD[NII]/DOD CIO) is the principal staff assistant and advisor to
the Secretary of Defense for DOD information and information technology matters,
including IA.

The Federal Information Security Management Act (FISMA) of 2002 was passed as part
of the E-Government Act of 2002 (Public Law 107-347). FISMA provides a
comprehensive framework for ensuring the effectiveness of information security controls
over information resources that support Federal operations and assets. Each Federal
agency (for example, DOD) is required to report annually to Congress on compliance
with requirements and the adequacy and effectiveness of information security policies,
procedures, and practices.

DOD Directive 8500.01E, "Information Assurance," October 24, 2002, establishes policy
to achieve IA across DOD. DOD Instruction 8500.02, "Information Assurance
Implementation," February 6, 2003, implements policy and prescribes procedures for
applying integrated, layered protection of DOD information systems and networks. DOD
Instruction 8500.02 defines IA as measures that protect and defend information and
information systems by ensuring their availability, integrity, authentication,
confidentiality, and non-repudiation.

Review of Internal Controls
DOD Instruction 5010.40, "Managers' Internal Control (MIC) Program Procedures,"
January 4, 2006, requires DOD organizations to implement a comprehensive system of
internal controls that provides reasonable assurance that programs are operating as
intended and to evaluate the effectiveness of the controls. We identified internal control
weaknesses for DTRA. DTRA did not have the following internal controls to adequately
identify its IA workforce and monitor the IA workforce certification status: an ongoing
process to identify personnel that had IA responsibilities and monitor whether the
personnel obtained the appropriate certifications, a central repository of IA certifications,
and an adequate tracking tool to identify IA personnel and track their progress in
obtaining the appropriate certifications. DTRA did not have internal controls to ensure
that system representatives for all DTRA systems were notified when personnel left the
agency to enable the system representatives to promptly disable system accounts.
Additionally, DTRA did not have internal controls in place to ensure that inactive
accounts were disabled in accordance with agency guidance. Implementing
recommendations A.1 and A.2 will improve DTRA processes to identify its IA workforce
and monitor the IA workforce certification status. Implementing recommendations B.1
and B.2 will improve DTRA processes to disable accounts for personnel that leave the
agency. These improvements will reduce potential vulnerabilities within DTRA's
information systems. We will provide a copy of the report to the senior official
responsible for internal controls in DTRA and in the Office of the Under Secretary of
Defense for Acquisition, Technology, and Logistics.

Finding A. Identification and Certification of Information Assurance Personnel

As of August 2009, the date of the DTRA response to DOD for the 2009 FISMA report,
only 35.2 percent of DTRA IA personnel met certification requirements, and DTRA
needed 80 additional IA personnel to be certified to meet December 2009 certification
milestones. Additionally, DTRA personnel did not follow regulations for identification
and certification of personnel having IA responsibilities. DTRA:

   • reported inaccurate information for IA personnel onboard and certified in its
     response to the DOD data call for the 2009 FISMA report,
   • did not properly input data on IA personnel in the Defense Civilian Personnel
     Data System, and
   • did not require that its IA workforce authorize release of their certification
     information in the Defense Workforce Certification Application.

These conditions occurred because DTRA did not provide adequate oversight of its IA
workforce. DTRA:

   • did not have an adequate process in place to identify IA personnel and monitor
     whether IA personnel obtained the appropriate certifications and
   • did not ensure that contract language requiring all contractor personnel to be
     certified was added to contracts for IA services.

As a result, DTRA's IA workforce may not have an adequate understanding of the
concepts, principles, and applications of IA to enhance the protection and availability of
DTRA's information systems and networks. Further, DOD and Congress did not have
accurate information on DTRA's IA workforce and progress towards meeting
certification requirements established by DOD guidance.

IA Workforce Background
An IA workforce consists of personnel that focus on the operation and management of IA
capabilities for DOD systems and networks. The workforce ensures that adequate
security measures and established IA policies and procedures are applied to all
information systems and networks.

DOD Directive 8570.01, "Information Assurance Training, Certification, and Workforce
Management," August 15, 2004, establishes policy and assigns responsibility for DOD
IA training, certification, and workforce management. DOD Manual 8570.01-M,
"Information Assurance Workforce Improvement Program," December 19, 2005,
implements DOD Directive 8570.01 and provides guidance for the identification and
categorization of positions and certification of personnel conducting IA functions, and
establishes IA workforce oversight and management reporting requirements. The
Defense-Wide Information Assurance Program of the ASD(NII)/DOD CIO provides IA
workforce management oversight and coordination for the requirements established in
DOD 8570.01-M. DOD 8570.01-M applies to all civilian, military, and contractor
personnel that perform IA functions.

DOD 8570.01-M requires all DOD Components to identify their IA positions and the
personnel that fill those positions. The DOD Components must designate each IA
position with an IA category or specialty. IA categories and specialties are further
divided into levels based on functional skill requirements and/or system environment
focus. IA categories include:

   • IA technical (IAT) Levels I, II, and III and
   • IA management (IAM) Levels I, II, and III, as well as the Designated Approving
     Authority (DAA).

IA specialties include:

   • IA Systems Architect and Engineer (IASAE) Levels I, II, and III and
   • Computer Network Defense Service Provider (CND-SP):
        o analyst,
        o infrastructure support,
        o incident responder,
        o auditor, and
        o manager.

Personnel that fill an IA position (except a DAA position) are required to obtain a
specific baseline certification as established by DOD 8570.01-M. According to DOD
8570.01-M, baseline certifications are approved certifications that DOD uses to establish
technical and management IA skills across DOD. Further, DOD 8570.01-M requires that
personnel designated in some categories and specialties also obtain a computing
environment certification. Computing environment certifications ensure that personnel
can effectively apply IA requirements to hardware and software systems. Personnel that
fill DAA positions are required to complete an approved DAA-related certification
course. See Table 1 for the certifications required for IA categories and specialties.

        Table 1. Certifications Required for IA Categories and Specialties
  Category/Specialty              Baseline Certification   Computing Environment
                                  Required                 Certification Required
  IAT Levels I, II, and III       Yes                      Yes
  IAM Levels I, II, and III       Yes                      No
  IASAE Levels I, II, and III     Yes                      No
  CND-SP analyst                  Yes                      Yes
  CND-SP infrastructure support   Yes                      Yes
  CND-SP incident responder       Yes                      Yes
  CND-SP auditor                  Yes                      Yes
  CND-SP manager                  Yes                      No

DOD 8570.01-M establishes milestones that DOD Components must meet. Specifically,
DOD Components are required to:

   • identify their IA workforce positions and fill 10 percent of the IA positions with
     certified personnel by December 31, 2007;
   • fill a total of 40 percent of their IA positions with certified personnel by
     December 31, 2008;
   • fill a total of 70 percent of their IA positions with certified personnel by
     December 31, 2009;
   • fill all IAT and IAM category positions with certified personnel by December 31,
     2010; and
   • fill all CND-SP and IASAE specialty positions with certified personnel by
     December 31, 2011.

DOD Required Certification Milestones and Reporting of Information Assurance Personnel
As of August 2009, only 35.2 percent of DTRA IA personnel met certification
requirements, and DTRA needed 80 additional IA personnel to be certified to meet
December 2009 certification milestones. Additionally, DTRA personnel did not follow
established guidance for identification and certification requirements of personnel having
IA responsibilities. DTRA:

   • reported inaccurate information for IA personnel onboard and certified in its
     response to the DOD data call for the 2009 FISMA report,
   • did not properly input data on IA personnel in the Defense Civilian Personnel
     Data System, and
   • did not require that its IA workforce authorize release of their certification
     information in the Defense Workforce Certification Application.

DTRA Compliance with DOD Certification Milestones
As of August 2009, only 35.2 percent of DTRA IA personnel met certification
requirements, and DTRA needed 80 additional IA personnel to be certified to meet
December 2009 certification milestones. DOD 8570.01-M required DOD Components to
fill a total of 40 percent of the IA positions with certified personnel by the end of 2008
and fill a total of 70 percent of the positions with certified personnel by the end of 2009.
In the 2008 IA Workforce Improvement Program Report sent to ASD(NII)/DOD CIO,
DTRA reported that 45 percent of its personnel with IA responsibilities obtained
certifications. Based on DTRA's reported numbers, DTRA exceeded the required
milestone for 2008. However, between the end of 2008 and August 2009, DTRA's
number of certified personnel decreased. In August 2009, DTRA reported in its official
response for the 2009 FISMA report that only 31.2 percent of its IA workforce was
certified. DTRA attributed the decrease to a change in a contractor for information
technology services at DTRA. However, as we discuss later in the report, all of the
personnel included in the contract should have been certified prior to beginning work at
DTRA. As of August 2009, we verified that 35.2 percent of the DTRA IA workforce had
the appropriate baseline certifications. DTRA needed 80 additional personnel to be
certified prior to the end of 2009 to meet the 70 percent milestone as required by DOD
8570.01-M.

We did not determine whether personnel designated in the IAT category or CND-SP
specialty obtained the appropriate computing environment certifications because the
DOD Components did not have to include the number of personnel that held a computing
environment certification in the 2009 FISMA response. However, according to FISMA
instructions, the 2009 IA Workforce Improvement Program Report, due on December 31,
2009, requires that DOD Components report the number of personnel that have obtained
computing environment certifications. Based on documentation that we received, a
substantially lower number of DTRA personnel have obtained both the IA baseline and
computing environment certifications. Once FISMA requires agencies to report this
information, DTRA's percentage of personnel that are adequately certified may decrease
significantly.

DTRA's Response to DOD Data Call for 2009 FISMA Report
DTRA reported inaccurate information for IA personnel onboard and certified in its
response to the DOD data call for the 2009 FISMA report. DTRA reported in August
2009 that it had 205 IA personnel, of which 64 were certified (31.2 percent). However,
we found that DTRA had 230 IA personnel, of which 81 were certified (35.2 percent).
DTRA's August 2009 report had multiple errors and was incomplete. Table 2 provides a
summary of DTRA's FISMA response and our results of verified IA personnel and
certifications.

                Table 2. DTRA IA Personnel and Personnel Certified
               DTRA 2009 FISMA Response           Inspector General-Verified Data
 Category      # IA         #           %          # IA          #           %
             Personnel   Certified   Certified   Personnel    Certified   Certified
IAT I               28          5       17.9%           32           7       21.9%
IAT II             156         52       33.3%          158          63       39.9%
IAT III              4          3       75.0%            4           3       75.0%
IAM I                1          0        0.0%            1           0        0.0%
IAM II              11          2       18.2%           12           1        8.3%
IAM III              4          1       25.0%            7           2       28.6%
CND-SP               0          0        0.0%           13           4       30.8%
IASAE                0          0        0.0%            2           0        0.0%
DAA                  1          1      100.0%            1           1      100.0%
Total              205         64       31.2%          230          81       35.2%

We identified that the IA workforce information for DTRA within the 2009 FISMA
response was inaccurate and incomplete. We identified the following types of errors:

   • mathematical inaccuracies,
   • IA personnel and certifications excluded from the 2009 FISMA response,
   • incorrect category or specialty for personnel and certifications, and
   • improper certifications for IA category.

Mathematical Accuracy
DTRA personnel miscounted the number of IA personnel in the DTRA IA workforce, as
well as the number of IA personnel that were certified. We initially attempted to
reconcile the 2009 FISMA response data to documentation that DTRA provided;
however, the documentation did not always match DTRA's 2009 FISMA response.

We found 12 mathematical errors in DTRA's reported numbers for IA personnel. As a
result, DTRA had undercounted the number of IA personnel by four. Additionally, we
found one mathematical error in DTRA's reported numbers for certified personnel,
resulting in an understatement of one certified person.

Additional IA Personnel and Certifications
DTRA should have included an additional 21 IA personnel as part of the 2009 FISMA
response. Specifically, we identified 19 additional IA personnel and 19 additional
certifications that DTRA had not identified prior to its FISMA response. DTRA
counted certifications for two contractor personnel that were not included in the number
of personnel within the IA workforce. DTRA personnel agreed that those two personnel
should have been included in the number of personnel within the IA workforce in the
FISMA response.

Categorization of Personnel and Certifications
DTRA did not appropriately categorize personnel and corresponding certifications in
its 2009 FISMA response. We learned from personnel with oversight responsibilities
for the Network Operations Support Center that 12 DTRA personnel designated at the
IAT II Level in the FISMA response were actually performing CND-SP functions.
Additionally, 4 of the 12 personnel had certifications, which DTRA also counted at the
IAT II Level on the 2009 FISMA response. DOD 8570.01-M was modified on May 15,
2008, to require DOD Components to identify any personnel performing CND-SP or
IASAE functions in their FISMA response.

Appropriateness of Certifications for IA Category and Level
Three personnel identified on the 2009 FISMA response did not have the correct
certification for their designated category and level, which caused the number of certified
personnel to be overstated by three. For example, one of the employees at the IAT II
Level had obtained the Certified Information Security Management certification. A
DTRA official stated that they included this certification in the FISMA response;
however, DOD 8570.01-M requires personnel at the IAT II Level to obtain a Global
Information Assurance Certification Security Essentials Certification, Security+
certification, Security Certified Network Professional certification, or System Security
Certified Practitioner certification.

Table 3 identifies the discrepancies in IA personnel data included in the 2009 FISMA
response.

           Table 3. IA Personnel Data Discrepancies in 2009 FISMA Response
  Category            DTRA             Math             IA              Incorrect        Verified
                      FISMA            Errors        Personnel          Category/
                     Response                        Excluded           Specialty
IAT I                    28              4                  0                 0               32
IAT II                  156             -2*                16               -12              158
IAT III                   4              0                  0                 0                4
IAM I                     1              0                  0                 0                1
IAM II                   11              1                  0                 0               12
IAM III                   4              1                  2                 0                7
CND-SP                    0              0                  1                12               13
IASAE                     0              0                  2                 0                2
DAA                       1              0                  0                 0                1
Total                   205              4                 21                 0              230
* Result of a DTRA overcount of the number of contractors by four and an undercount of the number of
civilians by two.

Table 4 identifies the discrepancies in IA certifications included in the 2009 FISMA
response.

           Table 4. IA Certifications Discrepancies in 2009 FISMA Response
Category      DTRA            Math       Certifications         Incorrect       Improper       Verified
              FISMA           Errors       Excluded             Category/      Certificate
             Response                                           Specialty     for Category
IAT I            5              1               1                   0               0                7
IAT II          52              0              17                  -4              -2               63
IAT III          3              0               0                   0               0                3
IAM I            0              0               0                   0               0                0
IAM II           2              0               0                   0              -1                1
IAM III          1              0               1                   0               0                2
CND-SP           0              0               0                   4               0                4
IASAE            0              0               0                   0               0                0
DAA              1              0               0                   0               0                1
Total           64              1              19                   0              -3               81

IA Personnel Data in the Defense Civilian Personnel Data System
DTRA did not properly input data on IA personnel in the Defense Civilian Personnel
Data System. DOD 8570.01-M requires DOD Components to enter information into the
Defense Civilian Personnel Data System for civilian personnel with IA responsibilities.
Further, the Director, Civilian Personnel Management Service, and the Under Secretary
of Defense for Personnel and Readiness instructed DOD Components in June 2007 and
August 2008, respectively, to enter data into the Defense Civilian Personnel Data System
for those civilian personnel with IA responsibilities. As of July 2009, personnel from the
Civilian Personnel Management Service stated that they were unable to identify any IA
data for DTRA civilians within the Defense Civilian Personnel Data System and that
DTRA should designate these positions. We met with DTRA personnel who are
responsible for submitting information to the Defense Logistics Agency so the
information could be put in the system. The personnel stated that they had not received
the required information from the DTRA personnel responsible for the IA workforce
program. Therefore, as of September 2, 2009, DTRA had not provided IA information to
the Defense Logistics Agency so the information could be put in the system. The Under
Secretary of Defense for Personnel and Readiness emphasized in his August 2008
memorandum the importance of entering proper and accurate data into the Defense
Civilian Personnel Data System by stating that it is "paramount to accurate workforce
management, analysis, and reporting." Additionally, the 2009 FISMA guidance states
that the Defense Civilian Personnel Data System will be used for reporting the status of
all Component civilian positions and personnel for the 2009 IA Workforce Improvement
Program annual report due on December 31, 2009. DTRA should populate the required
fields for those civilians with IA responsibilities to comply with DOD requirements and
to better track IA personnel.

Information in the Defense Workforce Certification Application
DTRA did not ensure that its IA workforce authorized release of certification information
in the Defense Workforce Certification Application. A document published by the
Defense Information Systems Agency stated that IA workforce personnel must access the
Defense Workforce Certification Application and authorize the release of their
certification information from the certification vendor to DOD. The Defense Information
Systems Agency document stated that releasing the certification status to DOD using the
Defense Workforce Certification Application is the official means of notifying DOD of
their certification status, and that the application is the official source of IA certification
information for civilian, military, and contractor personnel. The application is intended
to populate personnel databases, such as the Defense Civilian Personnel Data System,
with information. This would serve as verification that personnel, particularly civilians,
have in fact obtained their certifications. However, DOD 8570.01-M makes no mention
of the application. Instead, DOD 8570.01-M states that "all personnel must agree to
release their certification qualification(s) to the Department of Defense." If the
ASD(NII)/DOD CIO wants to mandate that DOD Components use the Defense
Workforce Certification Application, it should establish policy or modify DOD
8570.01-M.
Additionally, DTRA should require their IA workforce to authorize release\nof their certification information using the Defense Workforce Certification Application.\n\n\n                                              9\n\n\n\x0cDTRA Oversight of IA Workforce\nDTRA did not meet the certification milestones established by DOD 8570.01-M and did\nnot accurately report its IA personnel and certification progress in the 2009 FISMA\nresponse or to DOD because DTRA did not adequately oversee its IA workforce.\nSpecifically, DTRA:\n\n   \xe2\x80\xa2\t\t did not have an adequate process in place to identify IA personnel and monitor\n       whether the IA personnel obtained the appropriate certifications and\n   \xe2\x80\xa2\t\t did not ensure that contract language requiring all contractor personnel to be\n       certified was added to contracts for IA services.\n\nProcess Used to Identify IA Personnel and Monitor Certifications\nDTRA did not have an adequate process in place to identify IA personnel and monitor\nwhether the IA personnel obtained the appropriate certifications. Specifically, DTRA did\nnot:\n    \xe2\x80\xa2\t\t have an ongoing process in place to identify personnel that had information\n        assurance responsibilities and monitor whether the personnel obtained the\n        appropriate certifications,\n    \xe2\x80\xa2\t\t track whether new personnel obtained the required certifications,\n    \xe2\x80\xa2\t\t maintain a central repository of IA certifications, and\n    \xe2\x80\xa2\t\t have an adequate tool to identify IA personnel and track their progress in\n\n\n        obtaining the appropriate certifications. \n\n\nOngoing Process to Identify IA Workforce and Monitor Certifications\nDTRA did not have an ongoing process in place to identify personnel that had IA\nresponsibilities and monitor whether those personnel obtained the appropriate\ncertifications. 
The DTRA official responsible for compiling IA personnel data stated that\nDTRA performed a data call in early July 2009 asking each program manager to identify\npersonnel within their area that had IA responsibilities. The DTRA official stated that\nshe did not receive many responses. Further, of the information that DTRA personnel did\nhave, DTRA had not verified the information until 2 weeks before the 2009 FISMA\nresponse was due. We believe this contributed to some of the errors we found in the\nFISMA response. DTRA could become cognizant of their IA workforce by establishing\nan ongoing process to obtain feedback from designated points of contact throughout the\nagency to identify when new IA personnel come onboard and to know which of the\ncurrent personnel perform IA functions. In addition, this process would provide more\ntimely notice of personnel who had recently obtained the appropriate IA certifications.\nFurther, DTRA personnel responsible for identifying the IA workforce should verify the\ninformation provided by these points of contact.\n\nTracking of New Personnel\nDTRA did not track whether new civilian and military personnel obtained the required\ncertifications within 6 months. DOD 8570.01-M requires that IA civilian and military\npersonnel obtain the appropriate certifications within 6 months of beginning their\npositions unless a waiver is granted. If personnel do not obtain the appropriate\n\n\n                                           10\n\n\x0ccertifications within the timeframe, they are not permitted to execute the responsibilities\nof the position or not permitted privileged system access. According to the Defense-\nWide Information Assurance Program, personnel must be certified within 6 months of\nbeginning a job, even when switching from one internal position to another. The DTRA\nofficial responsible for compiling IA personnel data stated that DTRA does not track\narrival dates for personnel with IA responsibilities. 
DTRA should identify and track\nwhether new civilian and military information assurance personnel obtain the appropriate\ncertifications within 6 months of beginning work in an information assurance position in\naccordance with DOD 8570.01-M.\n\nDTRA and contractor personnel also did not ensure that one contractor provided certified\nIA contractor personnel prior to beginning work at DTRA. One of the seven contracts\nthat provided for personnel with IA responsibilities included a required Defense Federal\nAcquisition Regulation Supplement (DFARS) clause in the contract language, which\nrequires IA contractor personnel to be certified in accordance with DoD 8570.01-M.\nHowever, based on information provided by a contractor representative, neither the\ncontractor nor the contracting officer ensured that the IA contractor personnel were\ncertified prior to beginning work at DTRA.\n\nDFARS 252.239-7001, \xe2\x80\x9cInformation Assurance Contractor Training and Certification,\xe2\x80\x9d\nincludes the clause that requires the contractor to provide a certified IA workforce. DOD\n8570.01-M requires contractor personnel performing IA functions to be \xe2\x80\x9cappropriately\ncertified prior to being engaged\xe2\x80\x9d and states that the contracting officer should ensure that\ncontractor personnel are appropriately certified.\n\nAccording to a file obtained from the contractor used to monitor the certification status of\nits contractor personnel, 57 personnel of 124 (or 46 percent) had the appropriate\ncertifications as of August 2009. According to the contractor, as of September 2009, the\ncontractor increased the number of its own contractor personnel with IA baseline\ncertifications to 62 percent. According to the information provided by the contractor\nrepresentative, the contractor has made progress in increasing its number of certified\npersonnel. 
The contractor and the contracting officer should ensure that all of their\npersonnel in IA positions at DTRA are certified.\n\nCentral Repository of Certifications\nThe DTRA official responsible for overseeing DTRA\xe2\x80\x99s compliance with DOD\n8570.01-M requirements did not maintain a central repository of all IA certifications. We\nrequested supporting documentation that substantiated the FISMA submissions, but the\nDTRA official stated that DTRA did not maintain this information. During the course of\nthe audit, the DTRA official began to collect copies of certifications. DTRA should\nmaintain a central repository of all IA certifications to ensure that personnel have met the\nrequirements. In addition, the repository will serve as support for future FISMA and\nDTRA IA Workforce Improvement Program reports.\n\n\n\n\n                                             11\n\n\n\x0cTool for Identification and Tracking of IA Personnel\nDTRA did not have an adequate tracking tool to identify personnel in the IA workforce\nor monitor whether they have obtained the appropriate certifications. During our initial\nvisit in July 2009, a DTRA official provided us with an IA tracking spreadsheet that\nlisted the DTRA IA workforce and the certifications they obtained. However, the official\nstated that the spreadsheet was unreliable and, in August 2009, stated that DTRA did not\nuse it to answer the 2009 FISMA response. When we asked for documentation that\nsupported the 2009 FISMA response, the official provided documents with highlights,\ncrossed-out names, asterisks with no explanations, and hand-written annotations. We\nreviewed each item on the 2009 FISMA response with the official to identify the IA\nworkforce and certifications and found many errors. By not having an adequate tracking\ntool to identify the IA workforce or the certifications that they obtained, DTRA\nincorrectly reported its IA workforce in the 2009 FISMA response. 
We believe that\nestablishing and maintaining a tracking tool (for example, a database or spreadsheet) will\nhelp reduce the number of errors in DTRA\xe2\x80\x99s reporting of IA personnel and their\ncertifications.\n\nInclusion of Clause in IA Contracts\nDTRA did not ensure that contracting officers added contract language requiring all IA\ncontractor personnel to be certified to contracts for IA services. DFARS 239.7103(b)\nrequires the use of the clause from DFARS 252.239-7001 in solicitations and contracts\ninvolving performance of IA functions. DTRA did not include the required DFARS\nclause in six of seven contracts we identified for IA services. Further, the DOD 8570.01\xc2\xad\nM requires that contract language must specify certification requirements as established\nby the manual, and that existing contracts must be modified at an appropriate time to\ninclude the requirements. The DFARS clause requires each contractor to ensure that\ncontractor personnel have the appropriate baseline and computing environment\ncertifications. In addition, the clause requires that personnel who do not have the\nappropriate certifications be denied access to DOD information systems. DTRA should\ninclude the appropriate DFARS clause in new contracts for performance of IA functions\nand should modify existing contracts to include this clause so that contractors are bound\nto these contractual requirements.\n\nSummary\nDOD 8570.01-M establishes baseline IA technical and management skills among\npersonnel performing IA functions across DOD. Further, DOD 8570.01-M attempts to\nprovide a mechanism to verify IA workforce knowledge and skills through standard\ncertification testing. 
DTRA personnel did not follow established guidance for\nidentification and certification requirements of personnel having IA responsibilities.\nSpecifically, DTRA did not meet certification requirements for IA personnel, did not\nproperly report IA information to DOD in their 2009 FISMA response, and did not input\nIA information into the Defense Civilian Personnel Data System and the Defense\nWorkforce Certification Application. These conditions occurred because DTRA did not\nadequately oversee its IA workforce. Specifically, DTRA did not have an adequate\nprocess in place to identify IA personnel and monitor whether IA personnel obtained the\n\n\n\n                                           12\n\n\n\x0cappropriate certifications and did not ensure that contracting officers added contract\nlanguage requiring all contractor personnel to be certified to contracts for IA services. As\na result, DTRA\xe2\x80\x99s IA workforce may not have an adequate understanding of the concepts,\nprinciples, and applications of IA to enhance the protection and availability of DTRA\xe2\x80\x99s\ninformation systems and networks. Further, DOD and Congress did not have accurate\ninformation on DTRA\xe2\x80\x99s IA workforce and progress towards meeting milestones\nestablished by DOD 8570.01-M.\n\nRecommendations, Management Comments, and Our\nResponse\nA.1. We recommend that the Director, Defense Threat Reduction Agency, develop\nand implement an adequate process to identify information assurance workforce\npersonnel within the Defense Threat Reduction Agency and monitor whether the\ninformation assurance workforce obtains the appropriate certifications. Specifically\nthe Director, Defense Threat Reduction Agency, should:\n\n       a. 
Establish an ongoing process through the use of designated points of\ncontact to identify information assurance personnel and to monitor whether the\ninformation assurance personnel obtain the appropriate certifications.\n\nDefense Threat Reduction Agency Comments\nThe Director, Defense Threat Reduction Agency, agreed. The Director, Defense Threat\nReduction Agency, stated that the Defense Threat Reduction Agency will establish a\nprocess with designated personnel to identify information assurance personnel and will\ndetermine whether personnel obtained the appropriate certifications.\n\nOur Response\nThe Defense Threat Reduction Agency comments are responsive, and the actions meet\nthe intent of the recommendation.\n\n      b. Develop an adequate tool to identify and track the information assurance\npersonnel.\n\nDefense Threat Reduction Agency Comments\nThe Director, Defense Threat Reduction Agency, agreed. The Director, Defense Threat\nReduction Agency, stated that the Defense Threat Reduction Agency will procure or\ndevelop a process to track the information assurance workforce.\n\nOur Response\nThe Defense Threat Reduction Agency comments are responsive, and the actions meet\nthe intent of the recommendation.\n\n\n\n\n                                            13\n\n\n\x0c       c. Track whether new civilian and military information assurance personnel\nobtain the appropriate certifications within 6 months of beginning work in an\ninformation assurance position.\n\nDefense Threat Reduction Agency Comments\nThe Director, Defense Threat Reduction Agency, agreed. The Director, Defense Threat\nReduction Agency, stated that the Defense Threat Reduction Agency will develop a tool\nto track information assurance personnel.\n\nOur Response\nThe Defense Threat Reduction Agency comments are responsive, and the actions meet\nthe intent of the recommendation.\n\n      d. 
Ensure that contractors provide only certified information assurance\npersonnel.\n\nDefense Threat Reduction Agency Comments\nThe Director, Defense Threat Reduction Agency, agreed and stated that the Designated\nApproving Authority issued a letter on January 6, 2010, directing a contractor to ensure\nthat its information assurance workforce meet DOD 8570.01-M certification\nrequirements within 6 months.\n\nOur Response\nThe Defense Threat Reduction Agency comments are responsive, and the actions meet\nthe intent of the recommendation.\n\n      e. Maintain a central repository of certifications for information assurance\npersonnel.\n\nDefense Threat Reduction Agency Comments\nThe Director, Defense Threat Reduction Agency, agreed. The Director, Defense Threat\nReduction Agency, stated that the Defense Threat Reduction Agency will maintain\nelectronic and hard copy certifications of its information assurance workforce.\n\nOur Response\nThe Defense Threat Reduction Agency comments are responsive, and the actions meet\nthe intent of the recommendation.\n\n      f. Enter the required information assurance position information into the\nDefense Civilian Personnel Data System.\n\nDefense Threat Reduction Agency Comments\nThe Director, Defense Threat Reduction Agency, agreed. The Director, Defense Threat\nReduction Agency, stated that the Defense Threat Reduction Agency personnel will enter\n\n\n\n                                           14\n\n\n\x0cthe information assurance workforce data into the Defense Civilian Personnel Data\nSystem by October 1, 2010.\n\nOur Response\nThe Defense Threat Reduction Agency comments are responsive, and the actions meet\nthe intent of the recommendation.\n\n        g. Require information assurance personnel to authorize release of their\ncertification information in the Defense Workforce Certification Application.\n\nDefense Threat Reduction Agency Comments\nThe Director, Defense Threat Reduction Agency, agreed. 
The Director, Defense Threat\nReduction Agency, stated that the Defense Threat Reduction Agency will require all\ninformation assurance personnel to authorize the release of their certification information\nin the Defense Workforce Certification Application.\n\nOur Response\nThe Defense Threat Reduction Agency comments are responsive, and the actions meet\nthe intent of the recommendation.\n\nA.2. We recommend that the Director, Defense Threat Reduction Agency, include\nthe clause in the Defense Federal Acquisition Regulation Supplement 252.239-7001\nin new contracts for the performance of information assurance functions and\nmodify existing contracts at an appropriate time to include the clause.\n\nDefense Threat Reduction Agency Comments\nThe Director, Defense Threat Reduction Agency, agreed. The Director, Defense Threat\nReduction Agency, stated that the Defense Threat Reduction Agency will include the\nclause in DFARS 252.239-7001 in new contracts and it will review and modify existing\ncontracts where appropriate.\n\nOur Response\nThe Defense Threat Reduction Agency comments are responsive, and the actions meet\nthe intent of the recommendation.\n\nA.3. We recommend that the Assistant Secretary of Defense (Networks and\nInformation Integration)/DOD Chief Information Officer modify DOD 8570.01-M\nto require all DOD information assurance personnel to authorize release of their\ncertification information in the Defense Workforce Certification Application.\n\nAssistant Secretary of Defense (Networks and Information\nIntegration)/DOD Chief Information Officer Comments\nThe Acting Deputy Assistant Secretary of Defense (Identity and Information Assurance)\nin the Office of the Assistant Secretary of Defense (Networks and Information\nIntegration)/DOD Chief Information Officer agreed. 
The Acting Deputy Assistant\n\n\n                                            15\n\n\n\x0cSecretary stated that the Assistant Secretary of Defense (Networks and Information\nIntegration)/DOD Chief Information Officer modified Change 2 of DOD 8570.01-M to\ninclude a requirement for the information assurance workforce to request release of their\ncertification status to DOD through the Defense Workforce Certification Application.\n\nDefense Threat Reduction Agency Comments\nAlthough not required to comment, the Director, Defense Threat Reduction Agency,\nagreed that the Assistant Secretary of Defense (Networks and Information\nIntegration)/DOD Chief Information Officer should modify DOD 8570.01-M to require\nall DOD information personnel to authorize release of their certification information in\nthe Defense Workforce Certification Application.\n\nOur Response\nThe comments from the Acting Deputy Assistant Secretary of Defense (Identity and\nInformation Assurance) are responsive, and the actions meet the intent of the\nrecommendation.\n\n\n\n\n                                           16\n\n\n\x0cFinding B. Disabling of Accounts\nDTRA did not disable information system accounts in a timely manner after personnel\nleft the agency. Specifically, DTRA did not disable 17 accounts within 9 information\nsystems and networks after personnel left the agency. Additionally, of 87 disabled\naccounts that we reviewed, 84 accounts remained active * more than 5 days after the\npersonnel left the agency, and 66 accounts remained active more than 30 days. 
The\naccounts remained active because:\n\n    \xe2\x80\xa2\t\t system representatives for most DTRA systems reviewed were not notified when\n        personnel left the agency and\n    \xe2\x80\xa2\t\t DTRA system administrators did not consistently review information system\n        accounts that had not been used in a 30-day period.\n\nAlthough we found no instances of unauthorized access after personnel left DTRA, the\nindividuals could have accessed sensitive information within DTRA information systems\nand networks.\n\nGuidance for Disabling Accounts\nDOD Instruction 8500.02 states that individual accounts designated as inactive,\nsuspended, or terminated should be promptly deactivated.\n\nThe National Institute of Standards and Technology (NIST) issued Special\nPublication 800-53, \xe2\x80\x9cRecommended Security Controls for Federal Information Systems\nand Organizations,\xe2\x80\x9d Revision 3, August 2009, to provide guidance for recommended\nsecurity controls for Federal information systems. NIST Special Publication 800-53\nstates that an organization should manage information system accounts by notifying\naccount managers when temporary accounts are no longer required, information system\nusers leave the agency or are transferred, or information system usage or user need-to-know\nchanges. Further, NIST Special Publication 800-53 states that organizations should\ndeactivate temporary accounts that are no longer required and deactivate accounts of\nusers who leave the agency or are transferred.\n\nDTRA issued its internal DTRA Directive 8500.01, \xe2\x80\x9cDefense Threat Reduction Agency\n(DTRA) Information Assurance (IA),\xe2\x80\x9d January 29, 2007, to establish policy, define roles,\nand assign responsibilities to achieve IA within DTRA. DTRA Directive 8500.01 states\nthat user accounts will be removed or reassigned within 2 days of notification that a user\nno longer requires access to the system. 
The Directive states that users and supervisors\nare responsible for notifying system administrators or IA officers when access is no\nlonger required. Further, DTRA Directive 8500.01 states that system administrators will\nsuspend user accounts and passwords that have not been used in a 30-day period.\n\n\n\n*\n  We consider information system accounts active if the ability to log into the system and access\ninformation has not been disabled.\n\n\n                                                    17\n\n\x0cDisabling of Accounts\nDTRA did not disable 17 accounts after personnel left the agency. Additionally, for\nsome of the accounts that DTRA disabled, they did not do so in a timely manner.\n\nReview of Active Accounts\nDTRA did not disable 17 accounts within 9 information systems and networks after\npersonnel left the agency. We reviewed active accounts for 17 systems at DTRA\nincluding one mission-critical system, 15 mission-essential systems, and one mission-\nsupport system (see the Appendix for additional details on how we selected the DTRA\nsystems for review). We found that 17 accounts within 9 of the 17 systems remained\nactive after personnel had left the agency. Those 17 active accounts included accounts\nfor civilian, military, and contractor personnel and visitors to DTRA. These accounts\nremained active for a period of 33 to 128 days, averaging 65 days, after the personnel had\nleft the agency. Table 5 provides details of the active accounts we found for personnel\nwho had left DTRA and the length of time since they had left.\n\n                Table 5. 
Active Accounts for Personnel Who Left DTRA\nSystem     Number of Active Accounts     Days Active after     Days Active after\n           for Personnel that Departed   Departure (Range)     Departure (Average)\nA                     1                        48                    48\nB                     5                     35 \xe2\x80\x93 128                 60\nC                     2                      36 \xe2\x80\x93 56                 46\nD                     1                        37                    37\nE                     3                      85 \xe2\x80\x93 97                 91\nF                     1                        90                    90\nG                     1                        97                    97\nH                     2                     34 \xe2\x80\x93 105                 70\nI                     1                        33                    33\nTotal                17                     33 \xe2\x80\x93 128                 65*\n*Average days for all 17 accounts rather than average for each of the systems.\n\nTimeliness of Disabling of Accounts\nOf the 87 disabled accounts that we reviewed, 84 accounts remained active more than\n5 days after the personnel left the agency, and 66 accounts remained active for more than\n30 days. We attempted to obtain disabled account listings with the dates that the accounts\nwere disabled for all 17 systems that we reviewed; however, we were only able to obtain\n4 complete disabled account listings. We could not obtain listings for many of the\nsystems because those systems do not record or report the date an account was disabled.\nFor the 4 listings we received, we reviewed 87 accounts that were disabled on or after\nthe date the personnel left the agency. 
The\namount of time it took DTRA personnel to disable the accounts after the personnel\nleft DTRA ranged from 1 day to 1,392 days and averaged 455 days.\n\n\n\n                                                    18\n\n\x0cTable 6 provides details of the timeliness of disabling accounts for the four account\nlistings we were able to review.\n\n                     Table 6. Timeliness of Disabling of Accounts\n                       Days Between Departure       Number of Accounts\n                         and Account Disabling\n                               0-5 Days                   3\n                              6-10 Days                   7\n                             11-30 Days                  11\n                         More than 30 Days               66\n                                 Total                   87\n\nInternal Controls Over Disabling Accounts\nDTRA did not disable accounts promptly when personnel left their positions\nbecause:\n\n   \xe2\x80\xa2\t\t system representatives for most DTRA systems reviewed were not notified when\n       personnel left the agency and\n   \xe2\x80\xa2\t\t DTRA system administrators did not consistently review information system\n       accounts that had not been used in a 30-day period.\n\nNotification of Personnel Departures\nSystem representatives were not always notified when personnel left DTRA. DTRA\nDirective 8500.01 states that users and supervisors are responsible for notifying system\nadministrators or IA officers when access is no longer required. However, many\naccounts remained active well after personnel left the agency. DTRA uses an\nautomatically generated e-mail to notify system personnel of the requirement to disable\naccounts. However, DTRA does not include representatives from all DTRA systems in\nthe e-mail. Instead, this e-mail is sent only to those personnel who voluntarily request\nthat DTRA include them in the e-mail distribution. 
DTRA includes representatives that oversee the DTRA networks in the e-mail, but did not include representatives from the majority of the other information systems that we reviewed. During discussions with representatives from some of the systems, they informed us that they have no way of knowing when personnel leave the agency other than word of mouth. The out-processing e-mail could be an effective control if expanded to include representatives from all DTRA information systems. DTRA should notify representatives from all DTRA information systems when personnel leave the agency.

Review of Inactive Accounts
DTRA system administrators did not consistently review information system accounts that had not been used in a 30-day period. DTRA Directive 8500.01 states that system administrators should suspend user accounts and passwords that have not been used in a 30-day period. All 17 accounts that we identified as not disabled properly were active for more than 30 days after the personnel left the agency. Further, 66 of the 87 accounts disabled by DTRA were active for more than 30 days after the personnel had left the agency. We understand that some accounts may need to remain active for specific reasons (for example, travel); however, this should be on an exception basis. DTRA should emphasize the importance of performing routine reviews of active accounts and suspending user accounts and passwords that have not been used in a 30-day period in accordance with DTRA guidance.

Unauthorized Access to Sensitive Information
As a result of not notifying the appropriate system representatives and not having a process to identify inactive accounts, unauthorized individuals could have accessed sensitive information within DTRA information systems and networks. All of the systems we reviewed except one were reported as either mission-critical or mission-essential systems. Additionally, accounts for some systems containing classified information were not disabled promptly. However, we found no instances of unauthorized access for the active accounts we identified that should have been disabled. Maintaining proper account management procedures will help ensure the confidentiality and integrity of information in DTRA's information systems.

Recommendations, Management Comments, and Our Response
B. We recommend that the Director, Defense Threat Reduction Agency:

       1. Notify system representatives for each of the Defense Threat Reduction Agency information systems when Defense Threat Reduction Agency personnel, contractors, or other visitors leave the agency.

Defense Threat Reduction Agency Comments
The Director, Defense Threat Reduction Agency, agreed. The Director, Defense Threat Reduction Agency, stated that the Defense Threat Reduction Agency will provide system representatives with personnel departure dates. Further, he stated that the system representatives will develop procedures to ensure appropriate user account management and maintenance.

Our Response
The Defense Threat Reduction Agency comments are responsive, and the actions meet the intent of the recommendation.

       2. Establish a process to ensure that active accounts are reviewed at least monthly, and accounts and passwords that have not been used in a 30-day period are suspended for all systems in accordance with Defense Threat Reduction Agency guidance.

Defense Threat Reduction Agency Comments
The Director, Defense Threat Reduction Agency, agreed. The Director, Defense Threat Reduction Agency, stated that the Defense Threat Reduction Agency disabled all accounts identified in the report. Further, he stated that the Defense Threat Reduction Agency will develop a monthly review process for disabling inactive accounts.

Our Response
The Defense Threat Reduction Agency comments are responsive, and the actions meet the intent of the recommendation.

Appendix. Scope and Methodology
We conducted this performance audit from June 2009 through February 2010 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Review of the Information Assurance Workforce
We met with personnel from DTRA, the Defense-Wide Information Assurance Program from the Office of the Assistant Secretary of Defense (Networks and Information Integration)/DOD Chief Information Officer, the Civilian Personnel Management Service, and the Defense Manpower Data Center.

We reviewed DOD Directive 8570.01 and DOD 8570.01-M. We also reviewed memoranda issued by the Director, Civilian Personnel Management Service and the Under Secretary of Defense for Personnel and Readiness on June 4, 2007, and August 27, 2008, respectively.

We reviewed DTRA's 2009 FISMA response, which identified DTRA's IA workforce and their certification status. We attempted to verify the response by reviewing supporting documentation; however, we found that DTRA did not maintain adequate documentation to support the response. With the assistance of the DTRA official responsible for compiling IA personnel data, we manually examined each number on the FISMA response and the supporting documentation.
We attempted to verify certification information and identify additional IA personnel certifications by sending e-mails to the IA personnel originally identified by DTRA as performing IA functions, meeting with selected program managers, and meeting with contracting administrative personnel. We asked personnel to provide supporting documentation that showed that IA personnel obtained DOD-approved IA baseline certifications and computing environment certifications as required in DOD 8570.01-M.

We determined whether DTRA had entered IA workforce information into the Defense Civilian Personnel Data System. We also determined whether DTRA personnel had released their IA information using the Defense Workforce Certification Application.

Disabling of Accounts
We met with personnel from DTRA and we reviewed DOD Directive 8500.01E and DOD Instruction 8500.02. We also reviewed NIST Special Publication 800-53 and DTRA Directive 8500.01.

We decided to review the most sensitive systems at DTRA. We selected 21 systems that DTRA reported as either mission-critical or mission-essential for our review. We also added one system that DTRA reported as mission-support; however, we believe that it may have been reported incorrectly. During our first site visit, we determined from DTRA personnel that four of the systems we included were groups of hardware and software, such as routers, switches, repeaters, and intrusion detection services, used to enable the DTRA systems. We also found that one system had been replaced by another system; the program manager for the systems told us that it was no longer in use. As a result, we included 17 systems in our review of disabling accounts.

We requested and obtained listings of all active accounts for each of the 17 systems. We also requested and obtained a listing of active and departed personnel, with personnel that had departed as far back as November 2000. Additionally, we requested and obtained a listing of all personnel actions that related to personnel leaving the agency (for example, retirements, terminations, and resignations). We compared the listings to determine if the listings of active accounts included any personnel who had left the agency. We then determined how long the account had inappropriately been active based on the departure dates of the personnel. For the active accounts for personnel that had left the agency, we determined if unauthorized access was gained by the personnel after they departed by reviewing the last login dates, if available. We eliminated many entries in our results where personnel had departed as one category of personnel and came back as another and were still active under that other category (for example, military personnel who left the agency and returned as contractors and were still current in their database). For the personnel who were listed as departing in multiple categories on different dates, we used the most recent date to compare to the account deletion dates (for example, military personnel who left the agency and returned as contractors and then left the agency at a later date).

We also requested disabled account listings with the dates that the accounts were disabled for each of the 17 systems reviewed. We received only four disabled account listings with disabled dates that we could use for our review, mainly because of system constraints. For those four systems, we compared the disabled accounts listings to the active and departed personnel listing to determine the length of time the accounts remained active prior to being disabled. However, we excluded the following types of accounts from our review because we could not determine when the account should have been disabled:

    •   personnel who still worked at DTRA in any capacity,
    •   personnel who left DTRA after the disabled date, and
    •   personnel who we could not match to the active and departed personnel listing.

For the personnel who were listed as departing in multiple categories on different dates, we used the most recent date to compare to the account deletion dates. As a result, we were able to review 87 accounts within the 4 systems.

Use of Computer-Processed Data
We did not use computer-processed data to determine whether personnel obtained the appropriate certifications. Instead, for those personnel identified by DTRA personnel as part of the IA workforce, we obtained electronic and hard-copy supporting documentation that indicated personnel obtained the appropriate certifications.

We relied on data from DTRA's Secure Access database, which includes information on all current and departed personnel. The Secure Access database identifies the departure date of those personnel who have left the agency, which we used in our analysis of whether DTRA disabled accounts in a timely manner. We did not rely on the departure dates for our analysis of active accounts within DTRA systems because we verified the departure dates by obtaining other supporting documentation. However, we relied on the departure dates in the Secure Access database for our analysis of whether DTRA disabled accounts in a timely manner. We selected a judgmental sample of the 87 accounts reviewed and requested supporting documentation for the sample of accounts to verify the personnel departure dates. The supporting documentation validated the departure dates for the accounts we selected.
As a result, we believe we can sufficiently rely on the departure dates in the Secure Access database for our analysis.

Prior Coverage
No prior audit coverage has been conducted over the last 5 years on certification of IA personnel or disabling of accounts at the Defense Threat Reduction Agency. However, the Government Accountability Office (GAO) has issued one report discussing controls over the identification of IA personnel within Defense agencies. Unrestricted GAO reports can be accessed over the Internet at http://www.gao.gov.

GAO
GAO Report No. GAO-07-528, "Information Security - Selected Departments Need to Address Challenges in Implementing Statutory Requirements," August 2007

Assistant Secretary of Defense (Networks and Information Integration)/DOD Chief Information Officer Comments

OFFICE OF THE ASSISTANT SECRETARY OF DEFENSE
6000 DEFENSE PENTAGON
WASHINGTON, D.C. 20301-6000

NETWORKS AND INFORMATION INTEGRATION

MEMORANDUM FOR INSPECTOR GENERAL, DEPARTMENT OF DEFENSE (ATTN: AUDITING; READINESS, OPERATIONS AND SUPPORT)

SUBJECT: Selected Controls for Information Assurance at the Defense Threat Reduction Agency Project Number: D2009-D000LB-0216.000 dated February 16, 2010

This is in response to Draft Report (attached) dated February 16, 2010, requesting comments on the findings and recommendations contained in the draft report.

ASD(NII)/DoD CIO concurs and has incorporated into Change 2 of the DoD 8570.01-M, which is currently being staffed (NII000192-10), the requirement for certified IA Workforce Members to request release of their certification status to the DoD via the Defense Workforce Certification Application (DWCA). We expect Change 2 to the DoD 8570.01-M to be published by April 30, 2010.

Thank you for the opportunity to comment on the draft report.

(Information and Identity Assurance)

Attachments:
As stated

Defense Threat Reduction Agency Comments

Defense Threat Reduction Agency
8725 John J. Kingman Road, MSC 6201
Fort Belvoir, VA 22060-6201

MAR 26 2010

MEMORANDUM FOR DEPARTMENT OF DEFENSE INSPECTOR GENERAL

SUBJECT: Defense Threat Reduction Agency (DTRA) Response to the Discussion Draft of a Proposed Report, Project No. D2009-D000LB-0216.000, "Selected Controls for Information Assurance at the Defense Threat Reduction Agency"

Thank you for the opportunity to expand our response dated March 22, 2010, to the subject report regarding DTRA's information assurance controls.
Our expanded responses assign completion dates for each recommendation and clarify our previous submission. As stated in our first response, the Chief Information Officer is in the process of documenting policy, processes, and procedures related to information assurance. As that documentation is completed, we will provide your office copies.

Kenneth A. Myers
Director

Attachment:
As stated

DTRA ACTIONS TO ADDRESS RECOMMENDATIONS IN DoD IG REPORT
PROJECT NO. D2009-D000LB-0216.000

Recommendation A.1: Information Assurance Workforce Personnel

       DTRA Actions:

       A.1.a. Concur. DTRA will implement a process and designate personnel to properly identify the information assurance workforce. DTRA's Chief Information Officer, in conjunction with DTRA's Human Capital Office and Agency program managers, will identify information assurance technical and managerial positions by May 15, 2010. DTRA will review the applicability of personnel certifications against their appropriate Information Assurance Technical level and their Information Assurance Management level. These actions will be completed as we update position descriptions during the National Security Personnel System (NSPS) transition to the General Schedule (GS) System on June 6, 2010.

       A.1.b. Concur. DTRA will procure or develop a tool/process to track information assurance personnel. This action will be completed by August 1, 2010.

       A.1.c. Concur. DTRA will initially develop a Microsoft SharePoint site as a tool to track those identified as members of the IA workforce. This will be completed by August 1, 2010.

       A.1.d. Concur. DTRA issued a Designated Approving Authority letter on January 0, 2010, to the Information Technology Support Services performer directing them to achieve compliance with DoD 8570.01-M, "Information Assurance Training, Certification, and Workforce Management," information assurance workforce certification requirements within 6 months.

       A.1.e. Concur. DTRA will maintain certifications within the Microsoft SharePoint site and as hard copy within the information assurance program managers' office. This action will be completed by August 1, 2010.

       A.1.f. Concur. DTRA will enter the information assurance workforce information into Defense Civilian Personnel Data System (DCPDS). DTRA's Chief Information Officer, in conjunction with DTRA's Human Capital Office and Agency program managers, will identify information assurance technical and managerial positions by May 15, 2010. DTRA will use DoD 8570.01 and the DoD 8570.01 Frequently Asked Questions (FAQ) guidance on identification of information assurance workforce personnel. This data will be input into DCPDS by October 1, 2010.

       A.1.g. Concur. DTRA will require that all personnel in an information assurance workforce position authorize the release of their certification information using the Defense Workforce Certification Application. This action will be completed by August 1, 2010.

Recommendation A.2: Use of DFAR Supplement 252.239-7001 in New and Existing Contracts

       DTRA Actions: Concur. DTRA will include the required Defense Federal Acquisition Regulation Supplement clause 252.239-7001 in new contracts. For existing contracts, DTRA will scrutinize them for information assurance workforce applicability and modify as required. These actions will be completed within 90 days of identification of a contract with information assurance roles and responsibilities.

Recommendation A.3: Recommendation for ASD(NII)/CIO to Modify DoD 8570.01-M.

       DTRA Comment: Concur; however, DTRA cannot affect this change. No action required by DTRA for this recommendation.

Recommendation B.1: Notification to System Representatives Regarding Departure of Personnel

       DTRA Actions: Concur. DTRA will notify system owners of departure dates of personnel. This action will be completed by April 30, 2010. In addition, DTRA system owners and representatives will develop work instructions to ensure the proper management and maintenance of user accounts. This action will be completed by April 30, 2010.

Recommendation B.2: Establish Monthly Review Process

       DTRA Actions: Concur. Accounts that were identified by the DoD IG were disabled. DTRA will develop work instructions for the disabling of accounts and will establish a monthly review process. This action will be completed by April 30, 2010. Until then, accounts are disabled on "Date Eligible for Return From Overseas" or when an employee terminates employment at DTRA. The DTRA Senior Information Assurance Officer will conduct periodic checks to ensure the accounts are disabled.